Should Your Company Consider A Cybersecurity Disclosure Policy?

Cybersecurity breaches represent a significant, rapidly growing risk to virtually all companies doing business today. Small companies are particularly prone to a variety of potential cybersecurity breaches, including loss of physical property, social engineering, malicious attacks, or breaches caused by employee conduct. The consequences of these breaches can include increased costs, lost revenues, reputational damage, and litigation. As a result, the Securities and Exchange Commission (SEC) has recently indicated that public companies must consider cybersecurity risks when disclosing risks to their investors. While the SEC guidance primarily applies to public companies, private companies may also be subject to these requirements if they do business with public companies.

Given the growth of cybersecurity risks and breaches, many states have also acted to promote disclosure of cybersecurity issues. Currently, 46 states have enacted legislation that requires companies to notify customers if a cybersecurity issue compromises their personal information. The potential ramifications of cybersecurity risks may create liability not only for the company itself, but also for its board of directors and officers. Accordingly, companies should regularly review their policies relating to the disclosure of cybersecurity risks and incidents.